Itay Moav -Malimovka

Reputation: 53607

Is OAuth secure enough? I see the client secret is being passed via the client side

I am going over this example: https://www.digitalocean.com/community/tutorials/how-to-use-oauth-authentication-with-digitalocean-as-a-user-or-developer

After I get the code (the user has authenticated with the authentication service provider), I submit another POST to that server, which this time includes the client_secret:
https://cloud.digitalocean.com/v1/oauth/token?client_id=client_id&client_secret=client_secret&code=code_from_user_redirect&grant_type=authorization_code&redirect_uri=callback_URL

Shouldn't this part be hidden and done on the server side only?
Is there another layer of security I am missing here? (This is a browser-based flow.)

Upvotes: 0

Views: 217

Answers (1)

Mehmet Y.

Reputation: 460

This is because the example is for the authorization code grant type, which, as you also mentioned, shouldn't be used by client applications as it would reveal the client secret.

If you're going to use a client side app (mobile app, JavaScript etc.), you should prefer the implicit grant type. You'll directly get an access token, but the downside is that you won't have the option of a refresh token. Here's the DigitalOcean doc for further details.

Upvotes: 0
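The point both posts are circling is that the second POST in the question (the one carrying client_secret) belongs on a server the user never sees. The following is an added example, written for this page and not taken from the question, the answer, or DigitalOcean's own tutorial or SDK: it keeps the authorization-code exchange entirely server-side, reads the secret from the environment, sends it in the POST body rather than the query string, and hands the browser only an opaque session id. The token endpoint URL is the one quoted in the question; `handle_callback`, `exchange_code_for_token`, the `post` injection hook and the one-time `state` check are assumptions of this example, not something the question or answer mentions.

```python
"""Server-side authorization-code exchange (added example, not from the original page).

The browser is redirected back to redirect_uri with ?code=...&state=...; this
server then performs the back-channel POST to the token endpoint. The
client_secret and the resulting access token never leave this process.
"""
import json
import os
import secrets
import urllib.parse
import urllib.request

# Token endpoint as quoted in the question above.
TOKEN_URL = "https://cloud.digitalocean.com/v1/oauth/token"


def _default_post(url, form):
    """Real transport: form-encoded POST body, JSON response.
    Only used when no `post` callable is injected (e.g. in tests)."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def exchange_code_for_token(code, redirect_uri, client_id, client_secret, post=_default_post):
    """Back-channel exchange run by the server, never by the browser.

    Parameters travel in the POST body, not the query string, so the secret
    does not end up in proxy or web-server access logs."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    }
    return post(TOKEN_URL, form)


def handle_callback(query_string, state_store, sessions, client_id, client_secret,
                    redirect_uri, post=_default_post):
    """Handle the browser's arrival at redirect_uri?code=...&state=...

    `state_store` is a set of one-time state values issued when the user was
    sent to the provider; `sessions` maps opaque session ids to token responses.
    Returns (http_status, body_for_browser). The body never contains the
    client secret or the access token."""
    params = dict(urllib.parse.parse_qsl(query_string))
    state = params.get("state")
    if not state or state not in state_store:
        return 400, {"error": "invalid_state"}
    state_store.discard(state)  # one-time use: a replayed callback is rejected

    code = params.get("code")
    if not code:
        return 400, {"error": "missing_code"}

    token = exchange_code_for_token(code, redirect_uri, client_id, client_secret, post)
    session_id = secrets.token_urlsafe(32)
    sessions[session_id] = token  # access/refresh tokens stay server-side
    return 200, {"session": session_id}


if __name__ == "__main__":
    # Offline demo with a constructed token response (no network call).
    def fake_post(url, form):
        print("server -> token endpoint:", url, {k: v for k, v in form.items() if k != "client_secret"})
        return {"access_token": "tok_constructed", "token_type": "bearer"}

    secret = os.environ.get("DO_CLIENT_SECRET", "placeholder-secret")  # never shipped to the browser
    issued_states = {"state-constructed"}
    sessions = {}
    print(handle_callback("code=code_constructed&state=state-constructed", issued_states, sessions,
                          "client_id", secret, "https://app.example/callback", post=fake_post))
```

The injected `post` callable is only there so the exchange can be exercised without contacting DigitalOcean; in production the default transport is used and the secret comes from the environment or a secrets manager, never from a JavaScript bundle or a page query string.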
